Devices will fail to install apps for some reverse proxy deployments using MS Threat Management Gateway (TMG).
The network security rules for TMG are not set to "Forward the original host headers."
Open TMG and check the box to "Forward the original host headers" as outlined below.
The XML AirWatch sends to the device to do an application install (manifest.plist) dynamically generates the URL for the device to download the .ipa file from by inspecting the host headers in the App download request from the device and building the XML url based on that.
A problem arises because the client uses one URL (e.g. https://air.mlab.com/) and the XML sends another one to devices (e.g. https://airwatch.glab.com/) which fails from the internet. The reason is because of the setup: The device connects HTTPS to a Reverse Proxy and the RP connects HTTPS to the AirWatch server.